‘SocksEscort’ proxy service exploited home routers and IoT devices worldwide, downed by Europol and partners

Operation Lightning was executed on March 12 by Europol, in collaboration with multiple law enforcement agencies. The coordinated effort targeted the malicious proxy service ‘SocksEscort’, which allegedly compromised over 369 000 routers and Internet of Things (IoT) devices in 163 countries, and offered ‘SocksEscort’ customers over 35,000 proxies in recent years.

Law enforcement agencies from Austria, Bulgaria, France, Germany, Hungary, the Netherlands, Romania and the USA, alongside Eurojust and Europol, successfully took down and seized 34 domains as well as 23 servers located in seven countries.

The United States also froze a total of US$3.5 million in cryptocurrency. The infected modems used to offer the proxy service have been disconnected from the service. Following this takedown, law enforcement authorities will alert the affected countries, paving the way for further investigative initiatives.

Malicious service platform

The website offered a paid proxy service that gave its customers access to the compromised IP addresses, allowing them to hide their own. Access to these IP addresses was made possible by infecting modems belonging to individuals or organisations across the globe with malware. Once a modem was infected, its owner would not be aware that their IP address was being used for illegitimate activities.

To get access to the proxy service, customers had to use a payment platform that made it possible to anonymously purchase the service using cryptocurrency. It is estimated that this payment platform received more than EUR 5 million from proxy service customers.

Months-long investigation

The investigation, which began in June 2025 with the opening of a case by Europol’s Joint Cyberaction Task Force (J-CAT), revealed that a botnet of infected devices was created. These devices, primarily residential routers, were exploited to facilitate various criminal activities, including ransomware, DDoS attacks, and the distribution of child sexual abuse material (CSAM).

The compromised devices were infected through a vulnerability in the residential modems of a specific brand. Customers of the criminal service paid for licences to abuse these infected devices, hiding their original IP addresses to engage in various criminal activities. To protect against such exploits, users and vendors are advised to update the firmware of their devices regularly.

Why it matters

“Cybercrime thrives on anonymity. Proxy services like ‘SocksEscort’ provide criminals with the digital cover they need to launch attacks, distribute illegal content and evade detection,” said Catherine De Bolle, Executive Director of Europol. “By dismantling this infrastructure, law enforcement has disrupted a service that enabled cybercrime on a global scale. Operations like this show that when investigators connect the dots internationally, the infrastructure behind cybercrime can be exposed and shut down.”

Further reading

Europol and international partners disrupt ‘SocksEscort’ proxy service. Press release. March 12, 2026. Europol.
